Hotspot - security issues

Discussion in 'Networking Issues' started by basic, Jul 27, 2007.

  1. basic

    basic LI Guru Member

    Hi all,

    I'm planning to set up a hotspot to make our internet connection available to guests. There isn't any security (wep, wpa, mac-filtering, etc.) required for this wireless connection.

    There is one internet connection available that is being shared by a cisco router / pix-firewall. I would like to use this connection for the clients on my network as well for the wireless clients (guests).

    For security reasons, it's very important that the wireless clients can't access any resources on the network.

    About the network

    The network consists of 3 servers (Windows 2003 standard, Windows 2000 Server standard, Windows 2003 SBS) and approx. 50 clients (Win2000, WinXP, Vista).

    All network devices are being connected through a HP switch (that supports vlans).

    My goal

    As described above, the wireless clients should be able to access the internet. Preferably only on defined ports (i.e. http, https, pop3, smtp, imap).

    The wlan clients shouldn't have access to our regular network.

    The solution?

    What would be the best solution to achieve this?

    I was thinking about creating three separate network subnets (one for my network, one for the wireless clients, one for the router). I could configure one of the servers with 3 network cards (network, wlan, router) and put them in separate subnets.

    Using Routing & Remote Access on this server I could make sure that all clients can connect to the subnet in which the cisco router is, but the clients in one subnet can't connect to the clients in the other subnet (proper configuration assumed).

    In this case the wireless clients could still have access to the resources on the server running Routing & Remote Access. Using a dedicated server for this purpose isn't an option. A firewall on the server should do the job.

    Another solution would be creating 2 vlans on the switch. One containing all ports EXCEPT the access point and another vlan containing only the access point and the router.

    Please let me know your comments on the described "solutions" above.

    Thanks in advance!
  2. ifican

    ifican Network Guru Member

    What is the breakdown of equipment: cisco router, pix and wireless router? Is the cisco router wireless capable? It may not be as complicated as you have here; it just depends on what options you have. Also, you mention a switch; is it vlan capable?
  3. basic

    basic LI Guru Member

    Currently all devices (cisco router, pix, servers, clients) are all in the same subnet. The cisco router is an 800-series and doesn't offer wireless lan.

    Since there isn't an access point in the network, I have to buy one.

    All network devices are being connected through a HP switch (vlan capable). Maybe the best option is restricting access by splitting up the network in two or more vlans. I haven't got much experience with vlans, so I'm not sure if this will work. However, if it works, I guess it will be more secure than using a software firewall on one of the servers.
  4. Garrett804

    Garrett804 Network Guru Member

    ok... here's an idea.

    Install the new wireless router outside of the pix that currently protects your network.

    Have the wireless router on its own subnet thus giving all the clients access to the internet but not to your internal network.

    Easy and effective fix for your network security.

    Be sure to block off all ports for file sharing like bittorrent etc to ensure that someone doesn't come bog down your connection.

    I did this for a client I had so that the public, while waiting for their cars to finish being serviced, could get access to the outside world so that they could work and/or check e-mail etc.
  5. t4thfavor

    t4thfavor Network Guru Member

    You could set up some iptables rules so that there is only access to non-private ip address ranges from the wireless, i.e. no access to 192.168.x.x, 172.16.x.x etc.
    I believe that way none of the clients could mess with each other's boxes while on the lan. The last thing you want is script kiddies messing with the other clients.

    EDIT: I guess that would depend on you using private IP addresses. There is a setting on my AP called AP Isolation that I believe keeps the wired/wireless networks separate. Other than that vlans are a good bet for you. If your cisco stuff doesn't support it, wrt54g's do, so you should be able to make something work.
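As an added example, not posted by anyone in this thread, here is what the iptables approach from the post above looks like when combined with the port list from the original question (http, https, pop3, smtp, imap). It assumes a Linux box (or a wrt54g-style AP) sitting between the access point and the router, with placeholder interface names and a constructed guest subnet; it blocks every RFC1918 range from the guest side and only forwards the listed TCP ports plus DNS to the internet.

```shell
#!/bin/sh
# Added example: guest-wireless firewall rules. Interface names and the
# guest subnet below are assumed placeholders, not values from the thread.
WLAN_IF="${WLAN_IF:-eth1}"                 # faces the access point (assumed)
LAN_IF="${LAN_IF:-eth0}"                   # faces the office LAN (assumed)
WAN_IF="${WAN_IF:-eth2}"                   # faces the cisco router (assumed)
GUEST_NET="${GUEST_NET:-192.168.50.0/24}"  # constructed guest subnet
GUEST_TCP_PORTS="80 443 110 25 143"        # http https pop3 smtp imap
IPT="${IPT:-iptables}"                     # set IPT=echo to review rules

guest_rules() {
    # Nothing is forwarded unless a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Guests never reach the office LAN interface...
    $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -j DROP
    # ...nor any private range, whichever interface it sits behind.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A FORWARD -i "$WLAN_IF" -s "$GUEST_NET" -d "$net" -j DROP
    done
    # Only the listed TCP ports (plus DNS) go out towards the router.
    for p in $GUEST_TCP_PORTS; do
        $IPT -A FORWARD -i "$WLAN_IF" -o "$WAN_IF" -s "$GUEST_NET" \
            -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$WLAN_IF" -o "$WAN_IF" -s "$GUEST_NET" \
        -p udp --dport 53 -j ACCEPT
    # The firewall box itself only answers DHCP/DNS for guests.
    $IPT -A INPUT -i "$WLAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WLAN_IF" -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -A INPUT -i "$WLAN_IF" -j DROP
}

# "show" prints the rules instead of applying them; "apply" needs root.
case "${1:-}" in
    apply) guest_rules ;;
    show)  IPT=echo; guest_rules ;;
esac
```

Run it as `sh guest-fw.sh show` to review the generated rule list before applying it.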